Third party vendor assessment is the process of evaluating the information security practices of vendors and other external organizations that provide goods or services to your organization. In an ideal world, every vendor would maintain the same information security posture as your own organization. Although the onus remains on the vendor, as the contracting party you still have to do due diligence to verify that adherence rather than assume it.
How does one do Third Party vendor Assessment?
Ensure that your vendor agreement contains a clause requiring adherence to the organization's information security requirements, for example:
Vendor has agreed to provide services and/or products under the terms of that agreement ("Agreement"). Vendor agrees that it shall comply, and shall cause Third Parties acting on its behalf to comply, with the information security requirements contained in this document ("Vendor Information Security Requirements"). The assessment may include providing security posture information from time to time, or audits of the premises, people, or processes.
Sample Vendor Information Security Requirements
Design a vendor questionnaire that every vendor must answer periodically, preferably quarterly or annually, at a cadence set by management and written into the agreement.
Review every vendor response for anomalies or inconsistencies with the organization's security posture. Treat an unanswered question the same as a failed one: the absence of an answer is not evidence of a control.
Record every inconsistency in the risk register and define a remediation mechanism for it, including who owns the follow-up and by when it must be closed.
What kind of Information is required from Vendors?
1. Profile Information
   - Vendor Name [legal name of the organization, e.g. Amazon Pte Ltd]
   - Vendor's Security Page URL [the page where the vendor lists its security practices and adherence to infosec / privacy frameworks]
   - Risk Level [the risk the vendor poses to you if it goes offline or falls out of compliance with your security posture]
   - Vendor Type:
     - SaaS [Software as a Service]
     - PaaS [Platform as a Service]
     - IaaS [Infrastructure as a Service]
     - Data Processor [a third-party organization that processes your production or non-production data]
2. Vendor Security Posture Information
   - Security practices overview, covering Product Security, Application Security, Network Security, Corporate Security, Data Security, Endpoint Security, and Access Control
   - All legal documents, such as terms of use and privacy policy
What is the ideal workflow to follow within Konfirmity for Third Party Assessment?
1. Create a vendor [Konfirmity -> Vendors]
2. Choose whether the vendor will respond to your custom questionnaire or Konfirmity will scrape infosec / privacy information from public sources
3. For SaaS vendors, you can also auto-create an asset while creating the vendor
4. Create all assets belonging to the vendor [Konfirmity -> Assets]
5. Define an asset owner
6. Define Criticality [how critical is the asset for your organization to serve your customers?]
7. Define Confidentiality [what level of confidential data does this vendor handle on behalf of your clients? A vendor handling your payment data should be rated strictly confidential; one handling only user metadata could be rated low confidentiality]
8. Define Integrity [what is the impact of the vendor's data integrity on your ability to serve your production clients?]
9. Define Availability [is your system directly dependent on the vendor's availability?]
10. Ensure all users of the asset are captured [Konfirmity -> People -> Amit -> Assets]
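The questionnaire review and risk-register steps described earlier, together with the per-asset criticality / confidentiality / integrity / availability ratings from the workflow above, can be automated. The following is an added worked example and is not Konfirmity's code or code from the original page: it compares a vendor's questionnaire answers against an organizational baseline, treats unanswered questions as failures, and rates each resulting gap by the riskiest asset the vendor serves. The baseline control names, the low/medium/high scale, and the sample vendor data are all assumptions constructed for illustration.

```python
"""Added example (not Konfirmity's own code): compare vendor questionnaire
responses with an organizational baseline and produce risk-register entries
rated by the assets the vendor touches. Control names, the rating scale and
the sample vendor data are constructed for illustration only."""
from dataclasses import dataclass
from typing import Any, Dict, List

# Minimum controls the organization requires of every vendor (assumed).
# A bool means "must be exactly True"; an int is an upper bound (e.g. hours).
BASELINE: Dict[str, Any] = {
    "mfa_enforced": True,
    "encryption_at_rest": True,
    "pentest_last_12_months": True,
    "incident_notification_hours": 72,
}

# Assumed three-step scale shared by all four asset ratings.
SCALE = {"low": 1, "medium": 2, "high": 3}
LEVEL = {v: k for k, v in SCALE.items()}


@dataclass
class Asset:
    """One vendor-provided asset with its owner and its four ratings."""
    name: str
    owner: str
    criticality: str
    confidentiality: str
    integrity: str
    availability: str

    def risk_level(self) -> str:
        """Inherent risk is driven by the worst of the four ratings:
        a low-criticality asset holding strictly confidential data is still high."""
        worst = max(SCALE[r] for r in (self.criticality, self.confidentiality,
                                       self.integrity, self.availability))
        return LEVEL[worst]


def find_gaps(responses: Dict[str, Any], baseline: Dict[str, Any] = BASELINE) -> List[str]:
    """Return one human-readable gap per baseline control the vendor fails.
    An unanswered question counts as a failure; a non-boolean answer to a
    yes/no control (e.g. the string "yes") is flagged rather than trusted."""
    gaps: List[str] = []
    for control, required in baseline.items():
        if control not in responses:
            gaps.append(f"{control}: not answered")
            continue
        answer = responses[control]
        if isinstance(required, bool):                 # check bool before int: bool is an int subclass
            if answer is not required:
                gaps.append(f"{control}: vendor answered {answer!r}, required {required!r}")
        elif not isinstance(answer, (int, float)) or answer > required:
            gaps.append(f"{control}: vendor commits to {answer!r}, limit is {required}")
    return gaps


def build_risk_register(vendor: str, responses: Dict[str, Any],
                        assets: List[Asset]) -> List[Dict[str, str]]:
    """One register entry per gap, rated by the riskiest asset this vendor serves.
    The entry carries that asset's owner so remediation has a named person."""
    if not assets:
        raise ValueError("vendor has no assets; create them before assessing")
    riskiest = max(assets, key=lambda a: SCALE[a.risk_level()])
    return [
        {"vendor": vendor, "gap": gap, "risk": riskiest.risk_level(),
         "asset": riskiest.name, "owner": riskiest.owner}
        for gap in find_gaps(responses)
    ]


# Constructed sample data: one SaaS vendor, two assets, one questionnaire return.
SAMPLE_ASSETS = [
    Asset("payments-api", "amit", "high", "high", "high", "high"),
    Asset("marketing-crm", "amit", "low", "low", "medium", "low"),
]
SAMPLE_RESPONSES: Dict[str, Any] = {
    "mfa_enforced": True,
    "encryption_at_rest": False,            # fails the baseline outright
    "incident_notification_hours": 120,     # slower than the 72-hour limit
    # "pentest_last_12_months" deliberately left unanswered
}

if __name__ == "__main__":
    for entry in build_risk_register("Example SaaS Pte Ltd", SAMPLE_RESPONSES, SAMPLE_ASSETS):
        print(entry)
```

Every gap is rated against the vendor's worst asset rather than an average, on the principle that a vendor with one strictly confidential asset is a high-risk vendor regardless of how many low-risk assets it also serves. Re-run the comparison at each questionnaire cycle so that a control the vendor previously met but has since dropped shows up as a new register entry.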